Verification Methods and Relationships

What are Verification Methods?

Verification methods are cryptographic material expressed in a DID document that enables a DID controller to prove control over a DID. Think of verification methods as the digital equivalent of keys, credentials, or other proof mechanisms that establish trustworthiness in physical encounters.

In the DID architecture, verification methods provide the foundation for all trust operations, enabling:

  • Authentication of the DID controller
  • Digital signatures for verifiable credentials and messages
  • Encryption and decryption of communications
  • Authorization for capability invocation and delegation

At their core, verification methods answer a fundamental question: "How can I verify that the entity claiming control of this DID is actually authorized to do so?"

The Structure of Verification Methods

Each verification method in a DID document follows a standard structure designed for clear expression of cryptographic material and its intended use.

Core Components

A verification method typically includes these elements:

  • id: A unique identifier within the DID document
  • type: The cryptographic signature suite (e.g., Ed25519VerificationKey2018)
  • controller: The DID that controls this verification method
  • Verification material: The cryptographic material itself, such as a public key

Here's an example of a verification method expressed in a DID document:

{
    "id": "did:example:123#key-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:example:123",
    "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
}

In this example:

  • The key is identified as did:example:123#key-1
  • It uses the Ed25519 cryptographic algorithm
  • It's controlled by the DID did:example:123
  • The public key is expressed in multibase format

Embedded vs. Referenced Verification Methods

Verification methods can be either:

  1. Embedded directly in the verification relationship property
  2. Referenced via their ID in the DID document

For instance, consider these equivalent approaches for authentication:

// Embedded verification method
"authentication": [
  {
    "id": "did:example:123#key-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:example:123",
    "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
  }
]

// Referenced verification method
"verificationMethod": [
  {
    "id": "did:example:123#key-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:example:123",
    "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
  }
],
"authentication": ["did:example:123#key-1"]

Referenced verification methods promote reusability and reduce redundancy within DID documents, particularly when the same cryptographic material serves multiple verification relationships.

Types of Verification Material

The DID Core specification supports several formats for expressing verification material to accommodate different cryptographic algorithms and representation formats.

Public Key Formats

The W3C DID Core specification defines several standard properties for expressing public keys:

  • publicKeyMultibase: Public key encoded using the multibase format. Example: "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
  • publicKeyJwk: Public key in JSON Web Key format. Example: "publicKeyJwk": {"kty": "EC", "crv": "secp256k1", "x": "...", "y": "..."}
  • publicKeyHex: Public key in hexadecimal format (deprecated). Example: "publicKeyHex": "02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71"

Different DID methods may support or require specific formats. For interoperability, the DID Core specification recommends newer formats like multibase encoding, which provides self-describing, unambiguous representations of binary data.
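The self-describing nature of multibase is easiest to see by decoding a publicKeyMultibase value. The following is an added example, not code from the original page or from Vidos; it assumes only the 'z' (base58btc) multibase prefix and the ed25519-pub (0xed 0x01) and x25519-pub (0xec 0x01) multicodec prefixes, and it accepts both the bare 32-byte key used in the DID Core example above and the multicodec-prefixed 34-byte form used by the 2020 suites.

```python
# Added example (not from the original page): decode a publicKeyMultibase value
# into the raw 32-byte public key, checking that any multicodec prefix present
# matches the verification method type. Assumes 'z' (base58btc) encoding and
# the ed25519-pub / x25519-pub multicodec prefixes only.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Multicodec varint prefixes that may precede the raw 32-byte key.
MULTICODEC = {
    "Ed25519VerificationKey2020": b"\xed\x01",
    "X25519KeyAgreementKey2020": b"\xec\x01",
}

def b58decode(text: str) -> bytes:
    """Decode a base58btc string (leading '1' characters become zero bytes)."""
    value = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        value = value * 58 + idx
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def decode_public_key_multibase(encoded: str, vm_type: str) -> bytes:
    """Return the raw 32-byte key for a verification method of type vm_type.

    Accepts the bare key (32 bytes) or the key with its multicodec prefix
    (34 bytes); a mismatched prefix or any other length is rejected, so a key
    of one type cannot silently be used as another.
    """
    if not encoded.startswith("z"):
        raise ValueError("only base58btc ('z') multibase values are handled here")
    raw = b58decode(encoded[1:])
    prefix = MULTICODEC[vm_type]
    if len(raw) == 32 + len(prefix):
        if not raw.startswith(prefix):
            raise ValueError(f"multicodec prefix {raw[:len(prefix)].hex()} does not match {vm_type}")
        raw = raw[len(prefix):]
    if len(raw) != 32:
        raise ValueError(f"unexpected key length {len(raw)} for {vm_type}")
    return raw
```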

Non-Cryptographic Verification Methods

While public key cryptography is the most common approach, verification methods can potentially include other proof mechanisms:

  • Biometric verification: Though rarely used directly in DIDs due to privacy concerns
  • Multi-party verification: Where control requires multiple parties to act in concert
  • Delegated verification: Where verification authority is granted to another entity

Verification Relationships

Verification relationships express how verification methods can be used for different purposes. The DID Core specification defines five standard verification relationships, each with a specific function in the DID ecosystem.

1. Authentication

The authentication relationship designates which verification methods can be used to prove control over a DID for authentication purposes. When a system challenges the controller of a DID to authenticate, the controller uses a private key corresponding to one of the verification methods listed in the authentication relationship.

"authentication": [
  "did:example:123#key-1",
  "did:example:123#key-2"
]

In this example, either key-1 or key-2 can be used to authenticate as the controller of this DID.

2. Assertion Method

The assertionMethod relationship identifies verification methods that can be used to assert statements on behalf of the DID subject. This relationship is crucial for creating verifiable credentials, where the issuer needs to cryptographically sign assertions about an entity.

"assertionMethod": [
  "did:example:123#key-3"
]

This indicates that key-3 is authorized to make assertions (such as issuing verifiable credentials) on behalf of this DID.

3. Key Agreement

The keyAgreement relationship designates verification methods used for encrypted communications with the DID subject. These methods typically employ public key encryption algorithms that support secure key exchange.

"keyAgreement": [
  {
    "id": "did:example:123#key-x25519-1",
    "type": "X25519KeyAgreementKey2020",
    "controller": "did:example:123",
    "publicKeyMultibase": "z6LSbgq3GejX88eiAYbYKVPBpKywyEaVJRToFj5dGm15Ft2c"
  }
]

In this case, a specific X25519 encryption key is designated for establishing secure communication channels.

4. Capability Invocation

The capabilityInvocation relationship identifies verification methods that can be used to invoke capabilities (authorized actions) as the DID subject. This enables object capability-based security models where specific authorization must be presented to perform certain actions.

"capabilityInvocation": [
  "did:example:123#key-4"
]

This example shows that key-4 can be used to invoke capabilities (perform authorized actions) as this DID.

5. Capability Delegation

The capabilityDelegation relationship identifies verification methods that can be used to delegate capabilities on behalf of the DID subject. This allows the controller to authorize others to act on their behalf in specific ways.

"capabilityDelegation": [
  "did:example:123#key-5"
]

This indicates that key-5 can be used to delegate capabilities (grant permissions) to others on behalf of this DID.

Relationship Between Verification Methods and Relationships

The distinction between verification methods and verification relationships is crucial for understanding the DID security model:

  • Verification methods define the cryptographic material (what can be used)
  • Verification relationships define the authorized purposes (how it can be used)

This separation creates a flexible, fine-grained security model where different keys can be authorized for different purposes, following the principle of least privilege.

For example, a DID document might include:

  • A high-security key used only for authentication
  • A regularly rotated key for everyday message signing
  • A specialized encryption key for secure communications
  • Limited delegation keys granted to specific services
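The separation between verification methods and verification relationships, including the embedded and referenced forms shown earlier, can be enforced in a resolver. The following is an added example, not code from the original page or from Vidos; it assumes the DID document is a plain dict in the JSON form shown on this page, that relative references such as "#key-1" are resolved against the document's top-level "id", and that a reference to a method missing from "verificationMethod" is an error.

```python
# Added example (not from the original page or from Vidos): resolve a verification
# relationship to concrete verification methods and check whether a key is
# authorized for a given purpose. Assumes a dict in the page's JSON form and
# resolves relative references ("#key-1") against the document's "id".

RELATIONSHIPS = (
    "authentication", "assertionMethod", "keyAgreement",
    "capabilityInvocation", "capabilityDelegation",
)

def resolve_relationship(doc: dict, relationship: str) -> list:
    """Return the verification methods (dicts) usable for `relationship`.

    Entries are either embedded objects or DID URL strings referencing an entry
    in the top-level verificationMethod array.
    """
    if relationship not in RELATIONSHIPS:
        raise ValueError(f"unknown verification relationship {relationship!r}")
    by_id = {vm["id"]: vm for vm in doc.get("verificationMethod", [])}
    resolved = []
    for entry in doc.get(relationship, []):
        if isinstance(entry, dict):
            resolved.append(entry)  # embedded: usable only for this relationship
            continue
        ref = doc["id"] + entry if entry.startswith("#") else entry
        if ref not in by_id:
            raise ValueError(f"{relationship} references missing method {ref}")
        resolved.append(by_id[ref])
    return resolved

def is_authorized(doc: dict, vm_id: str, relationship: str) -> bool:
    """True iff vm_id is listed (embedded or referenced) under relationship."""
    return any(vm["id"] == vm_id for vm in resolve_relationship(doc, relationship))

# Constructed sample document following the examples on this page.
_ED = {"type": "Ed25519VerificationKey2020", "controller": "did:example:123",
       "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"}
SAMPLE_DOC = {
    "id": "did:example:123",
    "verificationMethod": [dict(_ED, id="did:example:123#key-1"),
                           dict(_ED, id="did:example:123#key-3")],
    "authentication": ["did:example:123#key-1"],
    "assertionMethod": ["#key-3"],  # relative reference
    "keyAgreement": [{"id": "did:example:123#key-x25519-1",
                      "type": "X25519KeyAgreementKey2020",
                      "controller": "did:example:123",
                      "publicKeyMultibase": "z6LSbgq3GejX88eiAYbYKVPBpKywyEaVJRToFj5dGm15Ft2c"}],
}
```

Because key-1 is listed only under authentication, a check for assertionMethod with key-1 fails, which is the least-privilege behaviour the text describes.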

Verification Methods in Vidos

Vidos provides a comprehensive framework for managing verification methods across different DID methods, offering:

Unified Verification Interface

The Vidos verifier service provides a consistent API for verification operations while supporting multiple cryptographic algorithms and DID methods. This allows applications to:

  • Verify signatures using any supported verification method
  • Check authorization for different verification relationships
  • Process verification results with standardized metadata

Method-Specific Verification Support

Different DID methods may use specialized verification approaches based on their underlying technology. Vidos supports these through:

  • Pluggable verification modules for different DID methods
  • Support for method-specific cryptographic algorithms
  • Configurable verification parameters based on security requirements

Key Management

Proper management of verification methods requires careful handling of both public and private keys. Vidos provides:

  • Secure generation of verification methods
  • Key rotation capabilities with cryptographic agility
  • Relationship management tools for organizing verification methods

Best Practices for Verification Methods

When working with verification methods in DIDs, consider these recommended practices:

Security Considerations

  1. Key Rotation: Regularly rotate verification methods to limit the impact of potential key compromise
  2. Purpose-Specific Keys: Use different verification methods for different relationships
  3. Strong Algorithms: Choose cryptographically strong algorithms with appropriate key lengths
  4. Key Protection: Store private keys securely, preferably in hardware security modules for high-value DIDs

Usability Considerations

  1. Clear Naming: Use descriptive IDs for verification methods to clarify their purpose
  2. Consistent Types: Standardize on verification method types within your ecosystem
  3. Fallback Methods: Include multiple verification methods for critical relationships to provide fallback options
  4. Progressive Enhancement: Start with essential verification relationships and add more as needed

Interoperability Considerations

  1. Standard Formats: Prefer widely supported formats like JWK and multibase for maximum compatibility
  2. DID Method Support: Verify which verification methods are supported by your target DID methods
  3. Forward Compatibility: Consider including newer cryptographic algorithms alongside established ones
  4. Verification Relationship Clarity: Explicitly define all verification relationships rather than relying on defaults

The Future of Verification Methods

The landscape of cryptographic verification continues to evolve, with several emerging trends likely to affect DIDs:

  • Post-Quantum Cryptography: As quantum computing advances, new verification method types resistant to quantum attacks will become essential
  • Threshold Cryptography: Multi-signature and threshold verification methods will enable more sophisticated governance models
  • Zero-Knowledge Proofs: Verification methods that support selective disclosure and minimal revelation will enhance privacy
  • Biometric Integration: Secure ways to bind biometrics to verification methods without compromising privacy
  • Hardware-Based Verification: Increased integration with secure hardware elements and trusted execution environments

Conclusion

Verification methods form the cornerstone of trust in the DID ecosystem by providing the cryptographic means to prove control, make assertions, establish secure communications, and manage capabilities. By carefully designing your verification method strategy, you can create DID documents that balance security, privacy, and usability while enabling the full range of interactions in decentralized identity systems.